samba.git/source4/heimdal/kdc, branch master Unnamed repository; edit this file 'description' to name the repository. heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten 2015-01-23T04:42:07+00:00 Andrew Bartlett abartlet@samba.org 2015-01-20T22:45:45+00:00 891c4c6a403cc0904c37caaf500bb3a4e3a646c7 This change ensures that our RODC will correctly proxy when asked to provide a ticket for a service or user where the keys are not on this RODC. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> 
This change ensures that our RODC will correctly proxy when asked to provide
a ticket for a service or user where the keys are not on this RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
heimdal: Really bug in KDC handling of enterprise princs 2015-01-23T04:42:07+00:00 Nicolas Williams nico@cryptonector.com 2014-12-17T03:57:40+00:00 da4ac71eaba84fa6227b7d9f3adb204003ceaa70 The value of this commit to Samba is to continue to match Heimdal's upstream code in this area. Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL there is no runtime difference. (commit message by Andrew Bartlett) Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The value of this commit to Samba is to continue to match Heimdal's
upstream code in this area.  Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL
there is no runtime difference.

(commit message by Andrew Bartlett)

Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
heimdal: Fix bug in KDC handling of enterprise principals 2015-01-23T04:42:07+00:00 Nicolas Williams nico@cryptonector.com 2014-12-17T03:55:34+00:00 fe99c420b21933e0dc11a5c4193e9af4cbfc574e The useful change in Samba from this commit is that we gain validation of the enterprise principal name. (commit message by Andrew Bartlett) Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The useful change in Samba from this commit is that we gain
validation of the enterprise principal name.

(commit message by Andrew Bartlett)

Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
heimdal: Only indicate successful authentication after successful authz 2014-04-02T15:12:47+00:00 Andrew Bartlett abartlet@samba.org 2014-02-18T00:53:38+00:00 d202191f9c6f304cfd603b1a78a56bb5a33fec49 This is needed to match Windows behaviour for NTLM logins. Andrew Bartlett Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This is needed to match Windows behaviour for NTLM logins.

Andrew Bartlett

Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out 2014-04-02T15:12:47+00:00 Andrew Bartlett abartlet@samba.org 2013-11-25T01:13:02+00:00 580a705b83014e94556b9d5a8877406816e02190 Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
heimdal: Do not attempt password authentication for locked out accounts 2014-04-02T15:12:47+00:00 Andrew Bartlett abartlet@samba.org 2013-11-28T00:28:29+00:00 30bae409477da2c42d41ce2d42fa85b86d799c98 Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
heimdal: remove checking of KDC PAC signature, delegate to wdc plugin 2012-01-12T07:02:54+00:00 Andrew Bartlett abartlet@samba.org 2012-01-11T07:19:14+00:00 d087e715fc803eae735636b4ebbb4c0f131f9bb4 The checking of the KDC signature is more complex than it looks, it may be of a different enc type to that which the ticket is encrypted with, and may even be prefixed with the RODC number. This is better handled in the plugin which can easily look up the DB for the correct key to verify this with, and can also quickly determine if this is an interdomain trust, which we cannot verify the PAC for. Andrew Bartlett 
The checking of the KDC signature is more complex than it looks, it may be of a different
enc type to that which the ticket is encrypted with, and may even be prefixed
with the RODC number.

This is better handled in the plugin which can easily look up the DB for the
correct key to verify this with, and can also quickly determine if this is
an interdomain trust, which we cannot verify the PAC for.

Andrew Bartlett
heimdal: handle referrals for 3 part DRSUAPI SPNs 2011-10-04T04:08:57+00:00 Andrew Tridgell tridge@samba.org 2011-09-28T04:18:14+00:00 6b69ecd0293d827b7429cfd75cf4a13ab4e40ce5 This handles referrals for SPNs of the form E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are used during DRS replication when we don't know the dnsHostName of the target DC (which we don't know until the first replication from that DC completes). We use the 3rd part of the SPN directly as the realm name in the referral. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> 
This handles referrals for SPNs of the form
E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are
used during DRS replication when we don't know the dnsHostName of the
target DC (which we don't know until the first replication from that
DC completes).

We use the 3rd part of the SPN directly as the realm name in the
referral.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
heimdal: Try to handle the PAC checking when we are in a cross-realm environment 2011-09-05T09:19:25+00:00 Andrew Bartlett abartlet@samba.org 2011-09-05T02:17:11+00:00 b5c7eb909f21efd8abe212202236388ad6e8e7f9 






s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
2011-07-26T00:16:08+00:00

Stefan Metzmacher
metze@samba.org

2011-07-25T16:51:53+00:00

5a8635bca1b6d60a5b81c602eb4f0b7fd8902d7b